Method and apparatus for determining security information of an unknown file in a cloud security system

ABSTRACT

A method for determining security information of an unknown file in a cloud security system is provided. The method includes: a cloud security serving end receives file security querying information reported by a cloud client end when a preconfigured monitoring point is triggered, wherein the file security querying information comprises identifier information and behavior information of a file; creates a behavior sequence of the file within a lifecycle according to the file security querying information of the file, analyzes the behavior sequence of the file within the lifecycle, and determines file security information of the file according to an analyzed result.

FIELD OF THE DISCLOSURE

The present disclosure relates to the technical field of network security, and more particularly, to a method and an apparatus for determining security information of an unknown file in a cloud security system.

BACKGROUND OF THE DISCLOSURE

A cloud security system refers to a system which stores file security information at a cloud security serving end. A cloud client end obtains prompt information indicating whether a file is safe by inquiring the file security information stored in the cloud security serving end.

The cloud security system plays an important role in the current network security field. Based on the cloud security system, the cloud client end may obtain the prompt information indicating whether the file is safe through querying the file security information in the cloud security serving end, without performing a security scan on the cloud client end.

SUMMARY OF THE DISCLOSURE

Examples of the present disclosure provide a method and an apparatus for determining security information of an unknown file in a cloud security system, so as to determine the security information of the unknown file in the cloud security system.

The technical solution of the present disclosure is as follows.

A method for determining security information of an unknown file in the cloud security system includes:

receiving, by a cloud security serving end, file security querying information reported by a cloud client end when a preconfigured monitoring point is triggered, wherein the file security querying information comprises identifier information and behavior information of a file; and

creating, by the cloud security serving end, a behavior sequence of the file within a lifecycle according to the file security querying information of the file, analyzing the behavior sequence of the file within the lifecycle, and determining file security information of the file according to an analyzed result.

An apparatus for determining security information of an unknown file in the cloud security system includes: a receiving module, a creating module, an analyzing module and a determining module;

the receiving module is to receive file security querying information reported by a cloud client end when a preconfigured monitoring point is triggered, wherein the file security querying information comprises identifier information and behavior information of a file;

the creating module is to create a behavior sequence of the file within a lifecycle according to file security querying information of the file;

the analyzing module is to analyze the behavior sequence of the file within the lifecycle; and

the determining module is to determine file security information of the file according to an analyzed result of the analyzing module.

A non-transitory computer-readable storage medium, comprising a set of instructions for processing information is provided, the set of instructions to direct at least one processor to perform acts of:

receiving, by a cloud security serving end, file security querying information reported by a cloud client end when a preconfigured monitoring point is triggered, wherein the file security querying information comprises identifier information and behavior information of a file; and

creating, by the cloud security serving end, a behavior sequence of the file within a lifecycle according to the file security querying information of the file, analyzing the behavior sequence of the file within the lifecycle, and determining file security information of the file according to an analyzed result.

It can be seen from the above that, in the present disclosure, after receiving the file security querying information from the cloud client end, the cloud serving end associates the behavior information carried in the file security querying information reported by the cloud client end, creates a behavior sequence of the file within a lifecycle, analyzes the behavior sequence of the file within the lifecycle and determines file security information of the file according to an analyzed result. Thus, in the present disclosure, the cloud security serving end associates multiple behaviors of an unknown file within the lifecycle through associating the behavior sequence of the unknown file. The associated multiple behaviors, i.e., the behavior sequence, provide an effective basis for determining the file security information of the unknown file. Thus, the file security information of the unknown file can be determined. In addition, the present disclosure does not require sample collection operations. Instead, the file security querying information reported by the cloud client end is utilized to generate the behavior sequence of the unknown file within the lifecycle. Thus, efficiency for determining the file security information of the unknown file is increased.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a flowchart of a cloud client end obtaining security information from the cloud security serving end.

FIG. 2 shows an example of a method for determining file security information in the cloud security system according to the present disclosure.

FIG. 3 shows another example of a method for determining the file security information in the cloud security system according to the present disclosure.

FIG. 4 shows an example of an apparatus for determining file security information in the cloud security system according to the present disclosure.

FIG. 5 shows another example of an apparatus for determining file security information in the cloud security system according to the present disclosure.

FIG. 6 shows still another example of an apparatus for determining file security information according to the present disclosure.

DETAILED DESCRIPTION OF THE DISCLOSURE

The present disclosure will be described in further detail hereinafter with reference to accompanying drawings and examples to make the technical solution and merits therein clearer.

FIG. 1 shows a flowchart of a cloud client end obtaining security information from a cloud security serving end.

As shown in FIG. 1, the process includes the following.

At block 101, the cloud client end transmits information such as a file recognizing code to the cloud security serving end.

At block 102, the cloud security serving end determines whether a file corresponding to the information transmitted by the cloud client end is safe through inquiring a file blacklist or a file whitelist.

At block 103, the cloud security serving end determines whether the file corresponding to the information transmitted by the cloud client end is in the blacklist or whitelist; if yes, the method proceeds to block 104; otherwise, the method proceeds to block 105.

At block 104, the cloud security serving end returns, according to inquired file security information, a file security information prompt message to the cloud client end.

At block 105, the cloud security serving end returns a prompt message to the cloud client end indicating that the file is an unknown file. If a file is not found in the whitelist or the blacklist, this file is an unknown file.

In view of the above, if the file security information of a particular file can be found in the blacklist or whitelist at the cloud security serving end, this file is a known file. With respect to unknown files, the current cloud security system cannot determine their security information.

In examples of the present disclosure, after receiving file security querying information from the cloud client end, if the cloud security serving end does not find security information of the file, it obtains behavior information of the file within a lifecycle and creates a behavior sequence of the file within the lifecycle, analyzes the behavior sequence of the file within the lifecycle, and determines the security information of the file according to an analyzed result.

The cloud security serving end may obtain the behavior information of the file within the lifecycle via various methods. For example, after receiving the file security querying information from the cloud client end, the cloud security serving end, if it does not find the security information of the file, informs the cloud client end to report the behavior information of the file at a predetermined time or when a predetermined trigger condition is met, e.g., when the file triggers a preconfigured monitoring point.

In one example of the present disclosure, the cloud security serving end may create, after receiving the file security querying information reported by the cloud client end when the preconfigured monitoring point is triggered, the behavior sequence of the file within the lifecycle according to the file security querying information reported by the cloud client end, analyze the behavior sequence of the file within the lifecycle and determine the file security information of the file according to the analyzed result. Based on the file security querying information, the cloud security serving end creates the behavior sequence of the file within the lifecycle. Thus, multiple behaviors of the file within the lifecycle are associated. The associated multiple behaviors, i.e., the behavior sequence, provide an effective basis for determining the file security information. Thus, the file security information can be determined effectively. Since there are innumerable malicious files in current networks, the file security database may not be updated in a timely manner. The present disclosure may solve the problem of determining the file security information of mass unknown files. In addition, the present disclosure combines the reporting of the file behavior information with the file security querying information, i.e., the file security querying information is reported when the preconfigured monitoring point is triggered, and the file behavior information is carried in the file security querying information. Thus, the querying procedure and the determining procedure of the file security information may be combined into one procedure. One message, i.e., the file security querying information, may be utilized to realize both the querying of the file security information and the reporting of the file behavior information. The procedure of querying the file security information and determining the file security information of the unknown file, and the message interactions, are simplified.

FIG. 2 shows an example of a method for determining file security information in a cloud security system according to the present disclosure.

As shown in FIG. 2, the method includes the following.

At block 201, a cloud security serving end receives file security querying information reported by a cloud client end when a preconfigured monitoring point is triggered, wherein the file security querying information includes identifier information and behavior information of a file.

At block 202, the cloud security serving end creates a behavior sequence of the file within a lifecycle according to the file security querying information of the file.

Since the file security querying information includes the file identifier information and the file behavior information, it is possible to create the behavior sequence of the file within the lifecycle according to multiple pieces of file security querying information reported by the cloud client end with respect to the file.

At block 203, the cloud security serving end analyzes the behavior sequence of the file within the lifecycle.

Although it is impossible to determine the file security information of an unknown file according to a single behavior of the unknown file, multiple behaviors of the unknown file within the lifecycle form the behavior sequence, i.e., the multiple behaviors of the file within the lifecycle are associated, which may act as a basis for determining the file security information. For example, after being started, an unsigned program releases and loads an unknown driver, adds itself as a startup item, visits a malicious URL and copies itself to all disks. Such a behavior sequence is a high-risk behavior sequence and the unknown file may be determined as an unsafe file.

At block 204, the cloud security serving end determines the file security information of the file according to the analyzed result.

In the method as shown in FIG. 2, after determining the file security information of the file, the cloud security serving end may also perform a series of operations according to the file security information of the file. For example, if it is determined that the file is a safe file, a prompt message indicating that the file is safe may be returned to the cloud client end. If it is determined that the file is an unsafe file, a prompt message indicating that the file is unsafe may be returned to the cloud client end. It is also possible to prompt the cloud client end to perform an antivirus operation.

In the above method, the monitoring point may be configured in an operating system of the cloud client end and used for monitoring positions that tend to be modified by malicious files, e.g., to monitor processes, files, a registry table and/or network behaviors of the cloud client end. Different risk levels may be assigned to different monitoring points according to their degree of danger to the cloud client end.

When the monitoring point of the cloud client end is triggered, the cloud client end reports the file security querying information with respect to the file triggering the monitoring point. The file behavior information included in the file security querying information includes but is not limited to: information of a process triggering the monitoring point, object information operated by the process, and/or detailed action information of the process.

When analysis is performed on the behavior sequence of the file within the lifecycle, the cloud security serving end may analyze the behavior sequence of the file within the lifecycle according to the file behavior sequence model created according to file behavior sequences of safe files and/or file behavior sequences of unsafe files, so as to obtain the security level of the file.

The file behavior sequence model may be realized by an artificial intelligence (AI) method. For example, the file behavior sequence model includes but is not limited to: an expert system insensitive to outside changes; a Bayesian decision system, a genetic algorithm system or a neural network system, which have self-learning capability; and an effective context-related classification Markov chain system used for anomaly detection, etc.

After the security level of the file is obtained through analyzing the behavior sequence of the file within the lifecycle, the cloud security serving end may determine the file security information of the file according to the security level.

For example, if the security level of the file is higher than a first predefined threshold, the file is determined as a safe file, i.e., the file security information labels the file as a safe file. If the security level of the file is lower than a second predefined threshold, the file is determined as an unsafe file, i.e., the file security information labels the file as an unsafe file.

If the security level determined according to the behavior sequence of the file is not enough to determine whether the file is safe or not, e.g., when the security level is between the first threshold and the second threshold, the cloud security serving end may inquire a statistic information database for a statistical result of feedback information with respect to the file. The security level of the file and the statistical result of the feedback information with respect to the file are weighted. The file security information of the file is determined according to the weighted result.

The statistic information database is used for storing the feedback information of the unknown file. The feedback information may include but is not limited to: running times of the unknown file and selection distribution information of an operation type of the unknown file, etc. For example, a particular unknown file is downloaded 1000 times by users, 239 users select to allow the running of the file, whereas other users select to forbid the running of the file. After receiving the security prompt information returned by the cloud client end with respect to the unknown file, the cloud security serving end operates according to the security prompt information (e.g., allow the file to run, or forbid the file to run, etc.) and returns operation information of the file to the cloud client end. The cloud security serving end updates the statistic information database according to the operation information returned by the cloud client end.

Besides being used for determining the file security information through being weighted together with the security level generated by the behavior sequence of the file within the lifecycle, the information in the statistic information database may be further used for assisting the client end to select an operation on the unknown file.

In particular, if the cloud security serving end does not find the file security information of a particular file in the file security database, it is determined that the file is an unknown file. With respect to this file, the cloud security serving end may inquire the statistic information database for the statistical result of feedback information with respect to this file and return security prompt information to the cloud client end according to the statistical result of the feedback information. For example, the security prompt information may include but is not limited to: running times of the unknown file, distribution information of selections of operation types of the unknown file.

In view of the above, through a bi-directional feedback method, i.e., the cloud client end feeds back operation information of the unknown file, and the cloud security serving end returns the statistical result of the feedback information with respect to the unknown file after receiving the file security querying information of the unknown file, effective information about the unknown file is provided, including but not limited to running times of the unknown file and selection distribution information of operation types of the unknown file, so as to assist the client end to select a proper operation type for the unknown file. For example, the cloud security serving end returns information to the client end indicating that the majority of other users select to forbid a program, which indicates that most users do not trust this program. Unless knowing the purpose of the program, the user may select to forbid the running of the program, so as to avoid running the malicious program. On the other hand, the statistical information of selections of the users may be updated continuously by the cloud security serving end.

The bi-directional feedback method is especially effective during the initial active period of the unknown file. For example, when the user downloads a program and the program is to be loaded and run, the client end monitors this action and performs a cloud inquiry. At this time, the cloud security serving end does not have the file security information of this file. Thus, the cloud security serving end searches the statistical information database and returns statistical information of usage and selection situations of other users to the client end. The client end may use the statistical information to determine whether to run the program. Then the cloud client end feeds back the selection information of the user to the cloud security serving end.

In view of the above, the present disclosure associates a plurality of behaviors of the file within the lifecycle according to the file security querying information of the file, generates a behavior sequence to provide a basis for determining the file security information of the file, so as to determine the file security information of the unknown file. Specifically, when being combined with the feedback information, security information may be created better for the unknown file, which solves the problem of determining the security information of mass unknown files.
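The serving-end flow described above (database lookup, per-file behavior sequence, security level, two thresholds, feedback weighting in the ambiguous band), as an added example that is not code from the disclosure. The event names, the naive Bayes model, the thresholds 0.7 and 0.3, the equal weights and the 0.5 cut-off on the weighted result are all assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed training data: behavior sequences of known safe / unsafe files.
SAFE_SEQS = [
    ["start", "read_config", "net_connect"],
    ["start", "write_file", "read_config"],
    ["start", "net_connect", "write_file"],
]
UNSAFE_SEQS = [
    ["start", "drop_driver", "load_driver", "add_autorun",
     "visit_bad_url", "copy_to_disks"],
    ["start", "add_autorun", "visit_bad_url"],
    ["start", "drop_driver", "load_driver"],
]


class BehaviorModel:
    """Naive Bayes over behavior events (assumed model; order-insensitive)."""

    def __init__(self, safe_seqs, unsafe_seqs):
        self.safe = Counter(e for s in safe_seqs for e in s)
        self.unsafe = Counter(e for s in unsafe_seqs for e in s)
        self.vocab = len(set(self.safe) | set(self.unsafe))
        self.n_safe = sum(self.safe.values())
        self.n_unsafe = sum(self.unsafe.values())

    def security_level(self, sequence):
        """Return a level in (0, 1); higher means the sequence looks safer."""
        llr = 0.0  # log-likelihood ratio safe vs. unsafe, equal priors
        for event in sequence:
            # Laplace smoothing so unseen events do not zero out the product.
            p_safe = (self.safe[event] + 1) / (self.n_safe + self.vocab)
            p_unsafe = (self.unsafe[event] + 1) / (self.n_unsafe + self.vocab)
            llr += math.log(p_safe / p_unsafe)
        return 1.0 / (1.0 + math.exp(-llr))


class CloudServingEnd:
    """Hypothetical serving end: one query message carries id + behavior."""

    def __init__(self, model, known=None, first=0.7, second=0.3, w_level=0.5):
        self.model = model
        self.known = dict(known or {})       # file security database
        self.first, self.second = first, second
        self.w_level = w_level               # weight of the security level
        self.sequences = defaultdict(list)   # file id -> behavior sequence
        self.feedback = defaultdict(lambda: {"allow": 0, "forbid": 0})

    def report_operation(self, file_id, allowed, count=1):
        """Client feedback: the user allowed or forbade the file to run."""
        self.feedback[file_id]["allow" if allowed else "forbid"] += count

    def query(self, file_id, behavior):
        """Handle one report from a triggered monitoring point."""
        if file_id in self.known:            # known file: answer from database
            return self.known[file_id]
        self.sequences[file_id].append(behavior)
        level = self.model.security_level(self.sequences[file_id])
        if level > self.first:
            return "safe"
        if level < self.second:
            return "unsafe"
        # Ambiguous band: weight the level with the users' allow ratio.
        fb = self.feedback[file_id]
        total = fb["allow"] + fb["forbid"]
        if total == 0:
            return "unknown"                 # nothing to weight against yet
        combined = (self.w_level * level
                    + (1 - self.w_level) * fb["allow"] / total)
        return "safe" if combined >= 0.5 else "unsafe"


if __name__ == "__main__":
    server = CloudServingEnd(BehaviorModel(SAFE_SEQS, UNSAFE_SEQS))
    # The high-risk sequence from the text, reported one event at a time.
    for ev in UNSAFE_SEQS[0]:
        print(ev, "->", server.query("id-dropper", ev))
    # An ambiguous file with the 239-of-1000 feedback from the text.
    server.report_operation("id-mixed", True, 239)
    server.report_operation("id-mixed", False, 761)
    for ev in ["start", "net_connect", "add_autorun"]:
        print(ev, "->", server.query("id-mixed", ev))
```

The verdict is recomputed on every report, so it can change as the sequence grows. The allow/forbid counts are client-reported, so the weight given to them bounds how far user selections can move a verdict in the ambiguous band.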

FIG. 3 shows an example of a method for determining file security information in a cloud security system according to the present disclosure.

As shown in FIG. 3, the method includes the following.

Block 301 is similar to block 201.

At block 302, the cloud security serving end inquires a file security database according to file security querying information reported by a cloud client end.

At block 303, the cloud security serving end determines whether file security information of the file corresponding to the file security querying information is found; if yes, block 304 is performed; otherwise, block 305 is performed.

At block 304, file security information of the file is determined according to the inquiry result and then the method ends.

In this block, the file security information searched out may be determined as the file security information of the file and is returned to the cloud client end.

Blocks 305 to 307 are similar to blocks 202 to 204 and are not repeated herein.

In accordance with the above method examples, an example of the present disclosure provides an apparatus, as shown in FIG. 4.

FIG. 4 shows an example of an apparatus for determining file security information in a cloud security system according to the present disclosure.

As shown in FIG. 4, the apparatus includes a receiving module 401, a creating module 402, an analyzing module 403 and a determining module 404.

The receiving module 401 is to receive file security querying information reported by a cloud client end when a preconfigured monitoring point is triggered, wherein the file security querying information includes identifier information of a file and behavior information of the file.

The creating module 402 is to create a behavior sequence of the file within a lifecycle according to the file security querying information of the file.

The analyzing module 403 is to analyze the behavior sequence of the file within the lifecycle.

The determining module 404 is to determine file security information of the file according to an analyzed result of the analyzing module 403.

The analyzing module 403 may analyze the behavior sequence of the file within the lifecycle based on a file behavior sequence model to obtain a security level of the file, wherein the file behavior sequence model is created according to file behavior sequences of safe files and/or file behavior sequences of unsafe files.

The determining module 404 may determine the file security information of the file according to the security level determined by the analyzing module 403. If the security level is higher than a first threshold, the file security information labels the file as a safe file. If the security level is lower than a second threshold, the file security information labels the file as an unsafe file.

FIG. 5 shows another example of an apparatus for determining file security information according to the present disclosure. As shown in FIG. 5, the apparatus includes: a receiving module 401, a creating module 402, an analyzing module 403, a determining module 504 and an inquiring module 505.

Functions and operations of the receiving module 401, creating module 402 and analyzing module 403 in FIG. 5 are similar to those of the corresponding modules in FIG. 4 and are not repeated herein.

The inquiring module 505 is to inquire a file security database according to the file security information reported by the cloud client end before the creating module 402 creates the behavior sequence of the file within the lifecycle according to the file security querying information of the file.

The determining module 504 is to determine the file security information of the file according to an inquiry result of the inquiring module 505 if the inquiring module 505 finds the file security information of the file, and otherwise to determine the file security information of the file according to the analyzed result of the analyzing module 403.

FIG. 6 shows still another example of an apparatus for determining file security information according to the present disclosure. As shown in FIG. 6, the apparatus includes a receiving module 601, a creating module 402, an analyzing module 403, a determining module 604, an inquiring module 605 and a transmitting module 606.

Functions and operations of the creating module 402 and analyzing module 403 are similar to those of the corresponding modules in FIG. 4 and are not repeated herein.

The inquiring module 605 is to inquire a statistic information database according to the file security querying information reported by the cloud client end if the security level determined by the determining module 604 is lower than a first threshold and is higher than a second threshold, to obtain a statistical result of feedback information with respect to the file from the statistic information database.

Besides the functions similar to those of the determining module 404 in FIG. 4 and the determining module 504 in FIG. 5, the determining module 604 is further to determine the file security information of the file according to the statistical result of the feedback information obtained by the inquiring module 605 and the security level of the file, e.g., assign weights to the statistical result of the feedback information and the security level and determine the file security information according to a weighted result.

The transmitting module 606 is to return security prompt information to the cloud client end according to the statistical result of the feedback information obtained by the inquiring module 605, such that the cloud client end operates the file according to the file security prompt information.

Besides the functions similar to those of the receiving module 401 in FIG. 4, the receiving module 601 is further to receive operation information of the cloud client end on the file, and update the statistic information database according to the operation information.

An example of the present disclosure further provides a non-transitory machine readable storage medium, including a set of instructions executable by one or more processors to perform the method for determining security information of an unknown file. In particular, a system or an apparatus equipped with a storage medium may be provided. The storage medium comprises a set of program codes executable by a processor (e.g., CPU or MCU) of the system or apparatus to perform actions of any example described above.

The program codes stored on the storage medium may realize the functions of any example described above. Therefore, the program codes and the storage medium storing the program codes form part of the present disclosure.

The storage medium storing the program codes may include a floppy disk, hard disk, magnetic disk, compact disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), magnetic tape, non-transitory storage card and ROM. In one example, the program codes may be downloaded from a server computer via a communication network.

It should be noted that some or all operations may also be performed by an operating system of a computer based on the program codes to implement functions of the examples of the present disclosure.

In addition, the program codes may be read from the storage medium and written in a memory in an extended card inserted in the computer or written in a memory in an extended unit connected with the computer. Thereafter, the program codes are executed by a processor in the extended card or the extended unit to perform all or some operations, so as to implement functions of the examples described above.

What has been described and illustrated herein is a preferred example of the disclosure along with some of its variations. The terms, descriptions and figures used herein are set forth by way of illustration only and are not meant as limitations. Many variations are possible within the spirit and scope of the disclosure, which is intended to be defined by the following claims, and their equivalents, in which all terms are meant in their broadest reasonable sense unless otherwise indicated.

1. A method for determining security information of an unknown file,comprising: receiving, by a cloud security serving end, file securityquerying information reported by a cloud client end when a preconfiguredmonitoring point is triggered, wherein the file security queryinginformation comprises identifier information and behavior information ofa file; and creating, by the cloud security serving end, a behaviorsequence of the file within a lifecycle according to the file securityquerying information of the file, analyzing the behavior sequence of thefile within the lifecycle, and determining file security information ofthe file according to an analyzed result; wherein the analyzing thebehavior sequence of the file within the lifecycle and determining filesecurity information of the file according to the analyzed resultcomprises: analyzing the behavior sequence of the file within thelifecycle according to a file behavior sequence model created based onfile behavior sequences of safe files and/or file behavior sequences ofunsafe files, to obtain a security level of the file; if the securitylevel is higher than a first threshold, determining the file securityinformation of the file to be a safe file; if the security level islower than a second threshold, determining the file security informationto be an unsafe file; if the security level is lower than the firstthreshold and higher than the second threshold, the cloud securityserving end inquiring a statistic information database to obtain astatistical result of feedback information of the file, and determiningthe file security information of the file according to the securitylevel and the statistical result of the feedback information. 2.(canceled)
 3. (canceled)
 4. The method of claim 1, wherein thedetermining the file security information of the file according to thesecurity level and the statistical result of the feedback informationcomprise: weighting the statistical result of the feedback informationand the security level, and determining the file security informationaccording to a weighted result.
 5. The method of claim 1, furthercomprising: after the cloud security serving end determines the filesecurity information of the file according to the security level of thefile and the statistical result of the feedback information of the file,transmitting security prompt information to the cloud client end, suchthat the cloud client end operates the file according to the securityprompt information after receiving the security prompt informationtransmitted by the cloud security serving end and returns operationinformation of the file to the cloud security serving end, updating, bythe cloud security serving end, the statistic information databaseaccording to the operation information returned by the cloud client end.6. The method of claim 1, further comprising: before creating thebehavior sequence of the file within the lifecycle according to the filesecurity querying information of the file, inquiring, by the cloudsecurity serving end, a file security database according to the filesecurity querying information reported by the cloud client end, if thefile security information of the file is found, determining the filesecurity information of the file according to an inquiry result;otherwise, executing the process of creating the behavior sequence ofthe file within the lifecycle according to the file security queryinginformation of the file.
7. The method of claim 1, wherein the preconfigured monitoring point is in an operating system of the cloud client end, used for monitoring a process, a file, a registry table and/or a network behavior of the cloud client end.
8. The method of claim 7, wherein the monitoring point has a risky level corresponding to a dangerous degree to the cloud client end.
9. The method of claim 1, wherein the behavior information of the file comprises: information of a process triggering the monitoring point, object information operated by the process, and/or action information of the process.
10. An apparatus for determining security information of an unknown file in a cloud security system, comprising: a receiving module, a creating module, an analyzing module and a determining module; the receiving module is to receive file security querying information reported by a cloud client end when a preconfigured monitoring point is triggered, wherein the file security querying information comprises identifier information and behavior information of a file; the creating module is to create a behavior sequence of the file within a lifecycle according to file security querying information of the file; the analyzing module is to analyze the behavior sequence of the file within the lifecycle; and the determining module is to determine file security information of the file according to an analyzed result of the analyzing module; wherein the analyzing module is to analyze the behavior sequence of the file within the lifecycle according to a file behavior sequence model created based on file behavior sequences of safe files and/or file behavior sequences of unsafe files, to obtain a security level of the file; the determining module is to determine the file security information of the file to be a safe file if the security level is higher than a first threshold, and determine the file security information to be an unsafe file if the security level is lower than a second threshold; the apparatus further comprising: an inquiring module, to inquire a statistic information database to obtain a statistical result of feedback information of the file if the security level is lower than the first threshold and higher than the second threshold, and the determining module is further to determine the file security information of the file according to the security level and the statistical result of the feedback information.
11. (canceled)
12. (canceled)
13. The apparatus of claim 10, wherein the determining module is further to weight the statistical result of the feedback information and the security level, and determine the file security information according to a weighted result.
14. The apparatus of claim 10, further comprising: a transmitting module; the transmitting module is to transmit, after the determining module determines the file security information of the file according to the security level of the file and the statistical result of the feedback information of the file, security prompt information to the cloud client end, such that the cloud client end operates the file according to the security prompt information after receiving the security prompt information; the receiving module is further to receive operation information of the file returned by the cloud client end, and update the statistic information database according to the operation information returned by the cloud client end.
15. (canceled)
16. The apparatus of claim 10, wherein the preconfigured monitoring point is in an operating system of the cloud client end, used for monitoring a process, a file, a registry table and/or a network behavior of the cloud client end.
17. The apparatus of claim 16, wherein the monitoring point has a risky level corresponding to a dangerous degree to the cloud client end.
18. The apparatus of claim 10, wherein the behavior information of the file comprises: information of a process triggering the monitoring point, object information operated by the process, and/or action information of the process.
19. A non-transitory machine-readable storage medium, comprising a set of instructions executable by one or more processors to perform actions of: receiving, by a cloud security serving end, file security querying information reported by a cloud client end when a preconfigured monitoring point is triggered, wherein the file security querying information comprises identifier information and behavior information of a file; and creating, by the cloud security serving end, a behavior sequence of the file within a lifecycle according to the file security querying information of the file, analyzing the behavior sequence of the file within the lifecycle, and determining file security information of the file according to an analyzed result; wherein the analyzing the behavior sequence of the file within the lifecycle and determining file security information of the file according to the analyzed result comprises: analyzing the behavior sequence of the file within the lifecycle according to a file behavior sequence model created based on file behavior sequences of safe files and/or file behavior sequences of unsafe files, to obtain a security level of the file; if the security level is higher than a first threshold, determining the file security information of the file to be a safe file; if the security level is lower than a second threshold, determining the file security information to be an unsafe file; if the security level is lower than the first threshold and higher than the second threshold, the cloud security serving end inquiring a statistic information database to obtain a statistical result of feedback information of the file, and determining the file security information of the file according to the security level and the statistical result of the feedback information.
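
The decision flow recited in claims 1 and 4, as an added illustration that is not part of the claims or the applicant's implementation: reports are ordered into a behavior sequence, scored against a model built from safe and unsafe sequences, and a score between the two thresholds is settled by weighting it with client feedback. The bigram likelihood-ratio model, the `(file_id, timestamp, action)` report shape, the allow/block feedback counts, the threshold and weight values, and all names are assumptions.

```python
from collections import Counter
from math import exp, log

def bigrams(seq):
    return list(zip(seq, seq[1:]))

def build_sequence(reports, file_id):
    """Order one file's reported behaviors by time (assumed shape: id, ts, action)."""
    return [a for fid, ts, a in sorted(reports, key=lambda r: r[1]) if fid == file_id]

class SequenceModel:
    """Assumed model: smoothed bigram likelihood ratio mapped to (0, 1); higher = safer."""
    def __init__(self, safe_seqs, unsafe_seqs):
        self.safe = Counter(b for s in safe_seqs for b in bigrams(s))
        self.unsafe = Counter(b for s in unsafe_seqs for b in bigrams(s))
        self.vocab = len(set(self.safe) | set(self.unsafe)) + 1  # +1 for unseen bigrams

    def security_level(self, seq):
        ns, nu = sum(self.safe.values()), sum(self.unsafe.values())
        llr = sum(log(((self.safe[b] + 1) / (ns + self.vocab)) /
                      ((self.unsafe[b] + 1) / (nu + self.vocab))) for b in bigrams(seq))
        return 1 / (1 + exp(-llr))

def determine(level, feedback, first=0.75, second=0.25, w_level=0.5, w_feedback=0.5):
    """Two-threshold verdict; the gray zone is settled by weighted client feedback."""
    if level > first:
        return "safe"
    if level < second:
        return "unsafe"
    # A level equal to a threshold is not covered by the claims; here it is gray.
    allowed, blocked = feedback   # assumed statistic: client allow/block counts
    total = allowed + blocked
    trust = allowed / total if total else 0.5   # no feedback yet: neutral
    return "safe" if w_level * level + w_feedback * trust >= 0.5 else "unsafe"

# Constructed training sequences and reports (not from the patent)
MODEL = SequenceModel(
    safe_seqs=[["create", "read", "close"], ["create", "write", "close"]],
    unsafe_seqs=[["create", "set_autorun", "connect"], ["create", "inject", "connect"]])
REPORTS = [("f1", 3, "connect"), ("f1", 1, "create"), ("f2", 2, "read"),
           ("f1", 2, "read"), ("f2", 1, "create"), ("f2", 3, "close")]

if __name__ == "__main__":
    for fid in ("f1", "f2"):
        seq = build_sequence(REPORTS, fid)
        level = MODEL.security_level(seq)
        print(fid, seq, round(level, 3), determine(level, feedback=(1, 9)))
```

With these constructed inputs, `f2` is decided by the model alone, while `f1` lands between the thresholds and its verdict follows the feedback counts, which is why the feedback channel of claim 5 needs protection against poisoned client reports.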